Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-8220: CSI Inline Volume admission plugin does not log object name correctly #1499

Merged
merged 1 commit into from Mar 16, 2023
Merged

OCPBUGS-8220: CSI Inline Volume admission plugin does not log object name correctly #1499

merged 1 commit into from Mar 16, 2023

Conversation

dobsonj
Copy link
Member

@dobsonj dobsonj commented Mar 3, 2023

@openshift-ci-robot openshift-ci-robot added backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 3, 2023
@openshift-ci-robot
Copy link

@dobsonj: This pull request references Jira Issue OCPBUGS-8220, which is invalid:

  • expected the bug to target the "4.14.0" version, but it targets "4.13.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

https://issues.redhat.com/browse/OCPBUGS-8220
/cc @openshift/storage @Phaow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot
Copy link

@dobsonj: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot requested a review from Phaow March 3, 2023 17:56
@openshift-ci
Copy link

openshift-ci bot commented Mar 3, 2023

@dobsonj: GitHub didn't allow me to request PR reviews from the following users: openshift/storage.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

https://issues.redhat.com/browse/OCPBUGS-8220
/cc @openshift/storage @Phaow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dobsonj
Copy link
Member Author

dobsonj commented Mar 3, 2023

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 3, 2023
@openshift-ci-robot
Copy link

@dobsonj: This pull request references Jira Issue OCPBUGS-8220, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.14.0) matches configured target version for branch (4.14.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (wduan@redhat.com), skipping review request.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dobsonj
Copy link
Member Author

dobsonj commented Mar 3, 2023

/cc @openshift/storage

@openshift-ci
Copy link

openshift-ci bot commented Mar 3, 2023

@dobsonj: GitHub didn't allow me to request PR reviews from the following users: openshift/storage.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @openshift/storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dobsonj
Copy link
Member Author

dobsonj commented Mar 3, 2023

GitHub didn't allow me to request PR reviews from the following users: openshift/storage.

:old_man_shakes_fist_at_bot:
/cc @jsafrane @gnufied @bertinatto

@dobsonj
Copy link
Member Author

dobsonj commented Mar 3, 2023
edited 

$ oc label namespace my-csi-app-namespace security.openshift.io/scc.podSecurityLabelSync=false
namespace/my-csi-app-namespace labeled
$ oc label --overwrite ns my-csi-app-namespace pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/warn=restricted
namespace/my-csi-app-namespace labeled
$ oc apply -f examples/simple
role.rbac.authorization.k8s.io/shared-resource-my-share-pod unchanged
rolebinding.rbac.authorization.k8s.io/shared-resource-my-share-pod unchanged
configmap/my-config unchanged
sharedconfigmap.sharedresource.openshift.io/my-share-pod unchanged
Error from server (Forbidden): error when creating "examples/simple/03-pod.yaml": pods "my-csi-app-pod" is forbidden: my-csi-app-pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged
Error from server (Forbidden): error when creating "examples/simple/04-deployment.yaml": deployments.apps "mydeployment" is forbidden: mydeployment uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged
Error from server (Forbidden): error when creating "examples/simple/05-daemonset.yaml": daemonsets.apps "my-ds" is forbidden: my-ds uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged
Error from server (Forbidden): error when creating "examples/simple/06-statefulset.yaml": statefulsets.apps "my-sts" is forbidden: my-sts uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged

$ oc label --overwrite ns my-csi-app-namespace pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/warn=restricted
namespace/my-csi-app-namespace labeled
$ oc apply -f examples/simple                       role.rbac.authorization.k8s.io/shared-resource-my-share-pod unchanged                       rolebinding.rbac.authorization.k8s.io/shared-resource-my-share-pod unchanged
configmap/my-config unchanged
sharedconfigmap.sharedresource.openshift.io/my-share-pod unchanged
Warning: my-csi-app-pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
pod/my-csi-app-pod created
Warning: mydeployment uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
deployment.apps/mydeployment created
Warning: my-ds uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
daemonset.apps/my-ds created
Warning: my-sts uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
statefulset.apps/my-sts created

@jsafrane
Copy link

jsafrane commented Mar 7, 2023

/lgtm
from storage perspective

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 7, 2023
@dobsonj
Copy link
Member Author

dobsonj commented Mar 7, 2023

/assign @soltysh
for approval

@Phaow
Copy link

Phaow commented Mar 9, 2023
edited

Pre-verify passed on 4.13.0-0.ci.test-2023-03-09-012607-ci-ln-54g67vb-latest
Using the pre-merged build test passed, the logs info improved.

Phaow@Phaow  ~/upstream/csi-driver-shared-resource   test-inlinevolume ●  oc apply -f examples/simple 
role.rbac.authorization.k8s.io/shared-resource-my-share-pod unchanged
rolebinding.rbac.authorization.k8s.io/shared-resource-my-share-pod unchanged
configmap/my-config unchanged
sharedconfigmap.sharedresource.openshift.io/my-share-pod unchanged
Warning: my-csi-app-pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
pod/my-csi-app-pod created
Warning: mydeployment uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
deployment.apps/mydeployment created
Warning: my-ds uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
daemonset.apps/my-ds created
Warning: my-sts uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
statefulset.apps/my-sts created

@Phaow
Copy link

Phaow commented Mar 9, 2023

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Mar 9, 2023
@dobsonj
UPSTREAM: <carry>: STOR-829: Add CSIInlineVolumeSecurity admission pl…
310f2c5 
…ugin

The CSIInlineVolumeSecurity admission plugin inspects inline CSI
volumes on pod creation and compares the
security.openshift.io/csi-ephemeral-volume-profile label on the
CSIDriver object to the pod security profile on the namespace.
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 14, 2023
@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 14, 2023
edited by openshift-ci bot

@dobsonj: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

  • [310f2c5|UPSTREAM: : STOR-829: Add CSIInlineVolumeSecurity admission plugin](310f2c5): does not specify an upstream backport in the commit message

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

soltysh
soltysh approved these changes Mar 14, 2023
View reviewed changes
Copy link
Member

@soltysh soltysh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve
/remove-label backports/unvalidated-commits
/label backports/validated-commits

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 14, 2023
@openshift-ci
Copy link

openshift-ci bot commented Mar 14, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dobsonj, jsafrane, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 14, 2023
@soltysh soltysh added backports/validated-commits Indicates that all commits come to merged upstream PRs. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Mar 14, 2023
@openshift-ci-robot
Copy link

/retest-required

Remaining retests: 0 against base HEAD 7d98b1a and 2 for PR HEAD 310f2c5 in total

@dobsonj
Copy link
Member Author

dobsonj commented Mar 14, 2023

/retest-required

3 similar comments
@dobsonj
Copy link
Member Author

dobsonj commented Mar 15, 2023

/retest-required

@dobsonj
Copy link
Member Author

dobsonj commented Mar 16, 2023

/retest-required

@dobsonj
Copy link
Member Author

dobsonj commented Mar 16, 2023

/retest-required

@openshift-ci
Copy link

openshift-ci bot commented Mar 16, 2023
edited

@dobsonj: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-agnostic-ovn-cmd 310f2c5 link false /test e2e-agnostic-ovn-cmd
ci/prow/4.11-upgrade-from-stable-4.10-e2e-aws-ovn-upgrade 310f2c5 link false /test 4.11-upgrade-from-stable-4.10-e2e-aws-ovn-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@soltysh
Copy link
Member

soltysh commented Mar 16, 2023

/override ci/prow/e2e-aws-ovn-serial
this is a known problem tracked in https://issues.redhat.com/browse/OCPBUGS-10395

@openshift-ci
Copy link

openshift-ci bot commented Mar 16, 2023

@soltysh: Overrode contexts on behalf of soltysh: ci/prow/e2e-aws-ovn-serial

In response to this:

/override ci/prow/e2e-aws-ovn-serial
this is a known problem tracked in https://issues.redhat.com/browse/OCPBUGS-10395

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-merge-robot openshift-merge-robot merged commit 5d48b26 into openshift:master Mar 16, 2023
@openshift-ci-robot
Copy link

@dobsonj: Jira Issue OCPBUGS-8220: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-8220 has been moved to the MODIFIED state.

In response to this:

https://issues.redhat.com/browse/OCPBUGS-8220
/cc @openshift/storage @Phaow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dobsonj
Copy link
Member Author

dobsonj commented Mar 16, 2023

/cherry-pick release-4.13

@openshift-cherrypick-robot
Copy link

@dobsonj: new pull request could not be created: failed to create pull request against openshift/kubernetes#release-4.13 from head openshift-cherrypick-robot:cherry-pick-1499-to-release-4.13: the GitHub API request returns a 403 error: {"message":"You have exceeded a secondary rate limit and have been temporarily blocked from content creation. Please retry your request again later.","documentation_url":"https://docs.github.com/rest/overview/resources-in-the-rest-api#secondary-rate-limits"}

In response to this:

/cherry-pick release-4.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dobsonj
Copy link
Member Author

dobsonj commented Mar 16, 2023

/cherry-pick release-4.13

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Mar 16, 2023
Merged
@openshift-cherrypick-robot
Copy link

@dobsonj: new pull request created: #1515

In response to this:

/cherry-pick release-4.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@soltysh soltysh soltysh approved these changes

@Phaow Phaow Awaiting requested review from Phaow

@bertinatto bertinatto Awaiting requested review from bertinatto

@gnufied gnufied Awaiting requested review from gnufied

@jsafrane jsafrane Awaiting requested review from jsafrane

Assignees

@soltysh soltysh

@jsafrane jsafrane

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backports/validated-commits Indicates that all commits come to merged upstream PRs. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@dobsonj @openshift-ci-robot @jsafrane @Phaow @soltysh @openshift-cherrypick-robot @openshift-merge-robot